Once Again, The Back Story...

In the past, I've talked about BasicConstraints...

Certificate Chaining

[Diagram: certificate chain from the VeriSign root through an Intermediate CA]

HOW DO WE VERIFY THESE THINGS?

What they say:

Verify that the name of the leaf node is the 
same as the site you're connecting to. 

Verify that the leaf certificate has not expired. 

Check the signature. 

If the signing CA is in our list of trusted root 
CAs, stop. Otherwise, move one up the chain 
and repeat. 
Here Be Dragons

[Diagram: Verifying a Certificate Chain to the Root CA]

• Verify validity period and verify that this is signed by the root CA. Because the root CA is trusted, verification stops here.
• Verify validity period and verify that this is signed by CA One. Because CA One is not trusted, the next certificate is checked.
• Verify validity period and verify that this is signed by CA Two. Because CA Two is not trusted, check the next certificate.

Very tempting to use a simple recursive function.

Everyone focuses on the signature validation.

The result of a naive attempt at validation is a chain that is complete, but nothing more.
What if...

[Diagram: Intermediate CA → Intermediate CA → thoughtcrime.org]

What if...

[Diagram: Intermediate CA → Intermediate CA → thoughtcrime.org → paypal.com]

What they say:

Verify that the name of the leaf node is the 
same as the site you're connecting to. 

Verify that the leaf certificate has not expired. 

Check the signature. 

If the signing CA is in our list of trusted root 
CAs, stop. Otherwise, move one up the chain 
and repeat. 
Something must be wrong, but...

All the signatures are valid.

Nothing has expired.

The chain is intact.

The root CA is embedded in the browser and trusted.
But we just created a valid certificate for PayPal, and we're not PayPal?

Moxie Marlinspike, Disruptive Studies

The missing piece... is a somewhat obscure field.

[Screenshot: terminal windows]

Back In The Day

Most CAs didn't explicitly set basicConstraints: 
CA=False 

Whether the field was there or not, most SSL 
implementations didn't bother to check it. 

Anyone with a valid leaf node certificate could 
create and sign a leaf node certificate for any 
other domain. 

When presented with a complete chain, IE, 
Outlook, Konqueror, OpenSSL, and others 
considered it valid... 
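To make the gap concrete, here is an added example (not code from the talk, and not the code of any SSL library) that walks a chain the way the "what they say" steps describe, and then walks it again with the basicConstraints check the slides say was missing. The certificate model, the names cert_t, naive_chain_valid, strict_chain_valid and the demo_* functions, and the sample chain are all constructed for this illustration; the signature results are precomputed booleans rather than real cryptography, so only the chain logic is being demonstrated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a certificate chain: chain[0] is the leaf, chain[i]
 * is signed by chain[i+1], chain[n-1] is the root. Signatures are modelled
 * by a precomputed boolean instead of real cryptography. */
typedef struct {
    const char *subject;          /* CN the certificate was issued for */
    bool expired;
    bool signature_ok;            /* simulated: signature verifies under chain[i+1]'s key */
    bool basic_constraints_ca;    /* basicConstraints CA flag; false when absent or CA=FALSE */
    int  path_len;                /* pathLenConstraint, or -1 when not set */
} cert_t;

/* The "what they say" procedure: name, expiry, signature on each link, stop
 * at a trusted root. It never looks at basicConstraints. */
bool naive_chain_valid(const cert_t *chain, size_t n,
                       const char *host, const char *trusted_root)
{
    if (n == 0 || strcmp(chain[0].subject, host) != 0 || chain[0].expired)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (!chain[i].signature_ok)
            return false;
        if (strcmp(chain[i].subject, trusted_root) == 0)
            return true;              /* reached a trusted root: stop */
    }
    return false;                     /* ran out of certificates without a trusted root */
}

/* Same walk, plus the missing check: every certificate that signs another
 * one must carry CA=TRUE, and a pathLenConstraint bounds how many
 * intermediate CAs may sit below it. */
bool strict_chain_valid(const cert_t *chain, size_t n,
                        const char *host, const char *trusted_root)
{
    if (n == 0 || strcmp(chain[0].subject, host) != 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (chain[i].expired || !chain[i].signature_ok)
            return false;
        if (i > 0) {
            if (!chain[i].basic_constraints_ca)
                return false;         /* a leaf certificate may not act as an issuer */
            /* certificates strictly between this CA and the leaf: i-1 of them */
            if (chain[i].path_len >= 0 && (int)(i - 1) > chain[i].path_len)
                return false;
        }
        if (strcmp(chain[i].subject, trusted_root) == 0)
            return true;
    }
    return false;
}

/* The "What if..." chain from the slides: a paypal.com certificate signed by
 * an ordinary thoughtcrime.org leaf certificate, which chains through an
 * intermediate to the VeriSign root. Constructed sample data. */
static const cert_t forged_chain[] = {
    { "www.paypal.com",   false, true, false, -1 },
    { "thoughtcrime.org", false, true, false, -1 },   /* leaf: CA=FALSE or absent */
    { "Intermediate CA",  false, true, true,   0 },   /* may sign end entities only */
    { "VeriSign",         false, true, true,  -1 },
};
static const size_t forged_chain_len = sizeof forged_chain / sizeof forged_chain[0];

/* A legitimate chain for the same site, also constructed. */
static const cert_t honest_chain[] = {
    { "www.paypal.com",   false, true, false, -1 },
    { "Intermediate CA",  false, true, true,   0 },
    { "VeriSign",         false, true, true,  -1 },
};
static const size_t honest_chain_len = sizeof honest_chain / sizeof honest_chain[0];

bool demo_naive_accepts_forged(void)
{
    return naive_chain_valid(forged_chain, forged_chain_len, "www.paypal.com", "VeriSign");
}

bool demo_strict_rejects_forged(void)
{
    return !strict_chain_valid(forged_chain, forged_chain_len, "www.paypal.com", "VeriSign");
}

bool demo_strict_accepts_legitimate(void)
{
    return strict_chain_valid(honest_chain, honest_chain_len, "www.paypal.com", "VeriSign");
}
```

The naive walk returns true for the forged chain because every link verifies and it ends at a trusted root; the strict walk rejects it twice over, once because thoughtcrime.org is not a CA and once because the intermediate's pathLenConstraint of 0 forbids any CA beneath it.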
And then in 2002...

Microsoft did something particularly annoying, 
so I blew this up by publishing it. 

Microsoft claimed that it was impossible to 
exploit. 

So I also published the tool that exploits it. 
SSLSNIFF

[Diagram: sslsniff placed between the client and the server]

• Intercept a connection from the client side.
• Generate a certificate for the site it is connecting to.
• Sign it with any random valid leaf node certificate.
• Pass that certificate chain to the client.
• Make a normal SSL connection to the server.
• Pass data between client and server, decrypting and encrypting on each end.

Lately, I've been talking about SSL Stripping...

BRIEF

SSL can be useful, but how it's deployed matters.

In the context of web browsing

SSL is almost never encountered directly. It is either encountered as a result of:

• A 302 redirect from an HTTP URL to an HTTPS URL
• An HTTPS link that a user clicks on from an HTTP page.
  - (Think, "My Cart," "Checkout," "Login," etc.)

We Can Attack SSL Before We Even Get There
SSLSTRIP

[Diagram: sslstrip placed between the client and the server]

• Watch HTTP traffic go by.
• Switch <a href="https://..."> to <a href="http://..."> and keep a map of what you've changed.
• Switch Location: https:// to Location: http:// and keep a map of what you've changed.
• When we see an HTTP request for a URL that we've stripped, proxy that out as HTTPS to the server.
• Watch the HTTPS traffic go by, log everything that we want, and keep a map of all relative, CSS, and JS links that go by.
How Does It Look?

[Screenshots: four views of the Gmail sign-in page ("Welcome to Gmail" / "Sign in to Gmail with your Google Account") in Firefox, the first loaded from https://www.google.com/accounts/ServiceLogin?service=...]

Where can we go from here?

Where do we need to go from here?
What's with certificates, anyways?

X509Certificate
  Version
  Serial Number
  Issuer
  Validity (not before X or after Y)
  Subject
  PublicKey
  SignatureAlgorithm
  Signature

The Big Three
SSL/TLS Handshake Beginnings

[Diagram: the client sends ClientHello; the server answers with ServerHello, ServerCertificate]

SSL Handshake Beginnings

[Screenshots: a browser at https://www.paypal.com/, a mail client set up for an IMAP server on port 993, and an IRC client set up for irc.freenode.net; each receives an X509Certificate (Version, Serial Number, Issuer, Validity, Subject, PublicKey, SignatureAlgorithm, Signature)]

The Problems For Us Begin

[Diagram: an attacker sits between client and server. The client sends ClientHello; what comes back is ServerHello, ServerCertificate?]
Let's start by looking back once more.

IN 2000, THINGS WERE DIFFERENT.

Notaries! Identification! Phone Calls! Actual people involved...

That is a bygone era.

These days it's all about: online domain validation
[Screenshots: thawte.com's "Buy SSL Certificates" page, and the order form at https://www.thawte.com/process/retail/new_ssl123?language= asking the customer to paste a Certificate Signing Request (CSR): "Include the full BEGIN and END lines generated by your software"]
PKCS #10

CertificateRequest
  Version
  Subject
  PublicKey
  Attributes

[Diagram: the CA takes the Subject www.bankofamerica.com, reduces it to bankofamerica.com, does a WHOIS Lookup, and emails admin@bankofamerica.com]

[Diagram: the same flow for a Subject of certificate.authorities.are.a.total.ripoff.bankofamerica.com, which is likewise reduced to bankofamerica.com]
Subjects

DistinguishedName
  Country
  State
  Locale
  Organization
  Organizational Unit
  Common Name

The X.509 standard is a total nightmare. Three revisions, twenty years. Parts of the standard have literally been "lost" and then later "found" again.

The original vision for the DN was that each DN would fit into some global Directory Information Tree. In practice, the standard is weak, everyone does everything differently, and the global DIT never materialized.

"There is nothing in any of these standards that would prevent me from including a 1 gigabit MPEG movie of me playing with my cat as one of the RDN components of the DN in my certificate."

-- Bob Jueneman on IETF-PKIX

Common Name: www.bankofamerica.com
commonName

SEQUENCE { {2 5 4 3}, StringType( SIZE( 1...64 ) ) }

IA5String:

• 0x16 - ID
• 0x05 - Length (5 chars)
• 0x76, 0x61, 0x6c, 0x75, 0x65 - v, a, l, u, e
CN Encoding

Essentially, the CN field is represented as a PASCAL string:

  0x0e | w w w . p a y p a l . c o m

This is different from how C strings are represented:

  w w w . p a y p a l . c o m \0
PKCS #10 Subject

DistinguishedName
  Country
  State
  Locale
  Organization
  Organizational Unit
  Common Name

[Diagram: thoughtcrime.org → www.paypal.com]

Common Name: www.thoughtcrime.org

Common Name: verisign.eats.children.thoughtcrime.org

Common Name: www.paypal.com\0.thoughtcrime.org

PKCS #10 Certificate Signing Request

CertificateRequest
  Version
  Subject
  PublicKey
  Attributes

Subject: www.paypal.com\0.thoughtcrime.org

[Diagram: the CA splits this into www.paypal.com\0 and thoughtcrime.org, does a WHOIS Lookup on thoughtcrime.org... and contacts me!]
Our Original Scenario

[Diagram: an attacker between client and server. ClientHello; ServerHello, ServerCertificate carrying the Subject www.paypal.com\0.thoughtcrime.org]

[Screenshot: the browser at https://www.paypal.com/ receives an X509Certificate (Version, Serial Number, Issuer, Validity, Subject, PublicKey, SignatureAlgorithm, Signature)]

Our Original Scenario

    char *destination = getDomainWeAreConnectingTo();
    char *commonName = getCommonNameFromCertificate();
    bool everythingIsOk = (strcmp(destination, commonName) == 0);

In memory, though,

[Diagram: char *destination points at "www.paypal.com"; char *commonName points at "www.paypal.com\0.thoughtcrime.org"; strcmp stops at the first NUL byte]

In the eyes of most SSL implementations, this certificate is completely valid for www.paypal.com.
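As an added example (not code from the talk or from any SSL stack), here is the comparison from the scenario above placed next to a length-aware version, fed by a minimal parser for the DER IA5String encoding shown on the commonName and CN Encoding slides. The same well-formedness check serves the CA side of the PKCS #10 story: a CSR whose Subject CN fails hostname_is_well_formed should never be issued. The names der_str, parse_ia5string, naive_name_matches, hostname_is_well_formed, strict_name_matches and the demo_* functions are invented for this illustration, and the sample byte strings are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A DER string value as the parser sees it: explicit length plus a pointer
 * to the bytes, i.e. the Pascal-style form from the CN Encoding slide. */
typedef struct {
    const unsigned char *data;
    size_t len;
} der_str;

/* Minimal parser for a DER IA5String (tag 0x16) with a short-form length
 * (< 128 bytes, which covers the 64-character commonName bound). Returns
 * false on truncation or an unexpected tag. */
bool parse_ia5string(const unsigned char *buf, size_t buflen, der_str *out)
{
    if (buflen < 2 || buf[0] != 0x16 || buf[1] >= 0x80)
        return false;
    size_t len = buf[1];
    if (buflen < 2 + len)
        return false;
    out->data = buf + 2;
    out->len = len;
    return true;
}

/* The comparison from the "Our Original Scenario" slide: strcmp stops at the
 * first NUL byte inside the commonName and ignores the DER length entirely. */
bool naive_name_matches(const char *destination, const der_str *cn)
{
    return strcmp(destination, (const char *)cn->data) == 0;
}

/* A hostname is acceptable for a certificate only if it is non-empty, at
 * most 64 bytes, contains no NUL, and uses only letters, digits, '.' and '-'.
 * A CA should apply this to a PKCS #10 Subject CN before issuing; a client
 * should apply it to the certificate CN before comparing. No wildcards here. */
bool hostname_is_well_formed(const der_str *name)
{
    if (name->len == 0 || name->len > 64)
        return false;
    for (size_t i = 0; i < name->len; i++) {
        unsigned char c = name->data[i];
        if (c == '\0' || !(isalnum(c) || c == '.' || c == '-'))
            return false;
    }
    return true;
}

/* Length-aware, case-insensitive comparison over the full DER length. */
bool strict_name_matches(const char *destination, const der_str *cn)
{
    if (!hostname_is_well_formed(cn))
        return false;
    if (strlen(destination) != cn->len)
        return false;
    for (size_t i = 0; i < cn->len; i++)
        if (tolower((unsigned char)destination[i]) != tolower(cn->data[i]))
            return false;
    return true;
}

/* Constructed sample: the IA5String "www.paypal.com\0.thoughtcrime.org",
 * 32 bytes of content, so tag 0x16 and length 0x20. */
static const unsigned char null_prefix_cn[] = {
    0x16, 0x20,
    'w','w','w','.','p','a','y','p','a','l','.','c','o','m', 0x00,
    '.','t','h','o','u','g','h','t','c','r','i','m','e','.','o','r','g'
};

bool demo_naive_accepts_null_prefix(void)
{
    der_str cn;
    if (!parse_ia5string(null_prefix_cn, sizeof null_prefix_cn, &cn))
        return false;
    return naive_name_matches("www.paypal.com", &cn);   /* true: stops at the NUL */
}

bool demo_strict_rejects_null_prefix(void)
{
    der_str cn;
    if (!parse_ia5string(null_prefix_cn, sizeof null_prefix_cn, &cn))
        return false;
    return !strict_name_matches("www.paypal.com", &cn);  /* rejected: embedded NUL */
}

bool demo_strict_accepts_honest_cn(void)
{
    /* constructed: IA5String "www.paypal.com", 14 bytes, as on the CN Encoding slide */
    static const unsigned char honest[] = { 0x16, 0x0e,
        'w','w','w','.','p','a','y','p','a','l','.','c','o','m' };
    der_str cn;
    return parse_ia5string(honest, sizeof honest, &cn)
        && strict_name_matches("WWW.PayPal.com", &cn);
}
```

The strict version never trusts a terminator inside the value: it takes the length from the encoding, refuses any NUL, and only then compares byte for byte, so the name the CA validated (the whole 32-byte string) and the name the client compares are the same string.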
What are "most" SSL implementations?

• Web Browsers
  • Firefox (all versions), IE (all versions), Lynx, Curl
• Mail Clients
  • Thunderbird, Outlook, Evolution
• Chat Clients
  • Pidgin, AIM, irssi, centericq
• SSL VPNs
  • AER Citrix, etc...
A First Cut: updated sslsniff

[Diagram: sslsniff between client and server]

MITM if a "null prefix attack" certificate is available.
HOW DOES IT LOOK?

[Screenshots: Firefox at https://www.google.com/accounts/ServiceLogin?service=mail&passive=true..., showing the Gmail sign-in page with the lock indicator in place]

[Screenshot: Firefox Page Info for the intercepted session. Web Site Identity: www.google.com. Owner: This web site does not supply identity information. Verified by: (blank). "This web site provides a certificate to verify its identity." Technical Details: Connection Encrypted: High-grade Encryption (RC4 128 bit). "The page you are viewing was encrypted before being transmitted over the Internet. Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network."]
Disadvantages

1) Targeted attacks are kind of lame.

Maybe there's another trick in here somewhere...

[Screenshot: Emacs *scratch* buffer]
Universal Wildcard

*\0.thoughtcrime.org

Other Weird Stuff

(www.paypal.com|mail.google.com|www.etrade.com|www.bankofamerica.com|www.wachovia.com|www.pnc.com|www.wellsfargo.com)\0.thoughtcrime.org
And... your remote exploit.

The union-handling code from NSS's shell-expression matcher, as shown on the slides (cleaned up from the screenshots). Note that e2 is sized by strlen(exp), which stops at the first NUL byte, while the loops that fill it run on until the closing ')':

    char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
    register int t,p2,p1 = 1;
    int cp;

    while(1) {
        for(cp=1;exp[cp] != ')';cp++)
            if(exp[cp] == '\\')
                ++cp;
        for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
            if(exp[p1]=='\\')
                e2[p2++] = exp[p1++];
            e2[p2] = exp[p1];
        }
        for (t=cp+1 ; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
        if(_shexp_match(str,e2, case_insensitive) == MATCH) {
            PORT_Free(e2);
            return MATCH;
        }

(AAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com

No signed signature required!

Possible to sneak non-ASCII characters past the NSS filters.

This yields something exploitable in Firefox, Thunderbird, Evolution, Pidgin, and AIM.
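Both the universal wildcard and the union groups above get through because the name matcher treats a certificate CN as a shell expression and sizes its scratch buffer from strlen() of untrusted input. As an added example (not NSS code, and not from the talk), here is a conservative matcher of the kind a client can use instead: the only pattern it accepts is a single '*' as the entire leftmost label, matching exactly one label; NUL bytes, non-ASCII bytes and metacharacters such as '(', '|' and ')' are rejected up front; and nothing is allocated from the untrusted length. The names cert_name_is_acceptable, cert_name_matches_host and the demo_* functions are invented here, and the sample names are constructed from the ones on the slides.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One DNS label: non-empty, only [A-Za-z0-9-]. isalnum() in the "C" locale
 * rejects bytes above 0x7f, so non-ASCII never reaches the matcher. */
static bool label_chars_ok(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!(isalnum(s[i]) || s[i] == '-'))
            return false;
    return len > 0;
}

/* Accept plain hostname syntax, optionally with "*." in front. cn_len is the
 * DER length, so an embedded NUL is visible and rejected. A wildcard must be
 * followed by at least two labels, so "*.com" is not accepted either. */
bool cert_name_is_acceptable(const unsigned char *cn, size_t cn_len)
{
    if (cn_len == 0 || cn_len > 64 || memchr(cn, '\0', cn_len) != NULL)
        return false;
    size_t start = 0;
    if (cn[0] == '*') {
        if (cn_len < 3 || cn[1] != '.')          /* "*" alone and "*foo" are not allowed */
            return false;
        if (memchr(cn + 2, '.', cn_len - 2) == NULL)
            return false;
        start = 2;
    }
    size_t label_start = start;
    for (size_t i = start; i <= cn_len; i++) {
        if (i == cn_len || cn[i] == '.') {
            if (!label_chars_ok(cn + label_start, i - label_start))
                return false;
            label_start = i + 1;
        }
    }
    return true;
}

static bool eq_ci(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Match host against the certificate name; validation happens first. */
bool cert_name_matches_host(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (!cert_name_is_acceptable(cn, cn_len))
        return false;
    size_t host_len = strlen(host);
    if (cn[0] != '*')
        return host_len == cn_len && eq_ci(cn, host, cn_len);

    /* wildcard: host must be "<one label>." followed by exactly the suffix after "*." */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)              /* '*' may not match an empty label */
        return false;
    size_t suffix_len = cn_len - 2;
    size_t host_suffix_len = host_len - (size_t)(dot + 1 - host);
    if (suffix_len != host_suffix_len)           /* also rules out '*' spanning two labels */
        return false;
    return eq_ci(cn + 2, dot + 1, suffix_len);
}

bool demo_universal_wildcard_rejected(void)
{
    /* constructed: the "*\0.thoughtcrime.org" name from the slides, 19 bytes */
    static const unsigned char cn[] = { '*', 0x00,
        '.','t','h','o','u','g','h','t','c','r','i','m','e','.','o','r','g' };
    return !cert_name_matches_host(cn, sizeof cn, "www.paypal.com");
}

bool demo_union_group_rejected(void)
{
    /* constructed, after the "Other Weird Stuff" slide */
    static const char cn[] = "(www.paypal.com|mail.google.com).thoughtcrime.org";
    return !cert_name_matches_host((const unsigned char *)cn, sizeof cn - 1, "www.paypal.com");
}

bool demo_plain_wildcard_ok(void)
{
    static const char cn[] = "*.thoughtcrime.org";
    const unsigned char *p = (const unsigned char *)cn;
    return cert_name_matches_host(p, sizeof cn - 1, "www.thoughtcrime.org")
        && !cert_name_matches_host(p, sizeof cn - 1, "a.b.thoughtcrime.org")
        && !cert_name_matches_host(p, sizeof cn - 1, "www.paypal.com");
}
```

Because validation runs on the full DER length before any matching, a name that is not a hostname is simply a mismatch; there is no expression to expand and no buffer whose size depends on where a NUL happens to fall.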
A Second Cut: sslsniff with wildcard support

[Diagram: sslsniff between client and server]

Perform MITM if "null termination attack" cert is available.

Or perform MITM with "universal wildcard" cert if client is NSS.

A Second Cut: updated sslsniff

Watches network and fingerprints clients for level of vulnerability.

Every NSS client's communication is intercepted - either with a specific "null termination" certificate, or with the "universal wildcard" certificate.

Every non-NSS client that is vulnerable is intercepted with a "null termination" certificate if available for the destination host.

Non-vulnerable clients are left alone to avoid detection.
What do we have to worry about?

1) Certificate Revocation

It would be unfortunate if some bitter Certificate Authority decided to revoke our universal wildcard certificates or any of our null-termination certificates.

These days, it's all about Online Certificate Status Protocol (OCSP).

Whenever an SSL stack sees a new certificate, it makes a quick request to the OCSP URL that the signing CA embedded in it.

The SSL stack receives a signed response from the OCSP provider indicating whether the certificate has been revoked or not.

2) Updates

It would be unfortunate if some bitter SSL implementation decided to start paying attention to how ASN.1 is formatted.
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Defeating OCSP 

OCSPResponse ::= SEQUENCE { 
    responseStatus    OCSPResponseStatus, 
    responseBytes     [0] EXPLICIT ResponseBytes OPTIONAL 
} 

ResponseBytes ::= SEQUENCE { 
    responseType    OBJECT IDENTIFIER, 
    response        OCTET STRING 
} 

BasicOCSPResponse ::= SEQUENCE { 
    tbsResponseData       ResponseData, 
    signatureAlgorithm    AlgorithmIdentifier, 
    signature             BIT STRING, 
    certs                 [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL 
} 
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Defeating OCSP 

OCSPResponse ::= SEQUENCE { 
    responseStatus    OCSPResponseStatus,        -- the field the slide highlights 
    responseBytes     [0] EXPLICIT ResponseBytes OPTIONAL 
} 

OCSPResponseStatus ::= ENUMERATED { 
    successful          (0),  -- Response has valid confirmations 
    malformedRequest    (1),  -- Illegal confirmation request 
    internalError       (2),  -- Internal error in issuer 
    tryLater            (3),  -- Try again later 
                              -- (4) is not used 
    sigRequired         (5),  -- Must sign the request 
    unauthorized        (6)   -- Request unauthorized 
} 
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Defeating OCSP 

OCSPResponse ::= SEQUENCE { 
    responseStatus    OCSPResponseStatus = 3,    -- tryLater 
    responseBytes     [0] EXPLICIT ResponseBytes OPTIONAL 
} 
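A parser for the envelope dissected on these slides, as an added example in Go that is not code from the talk or from sslsniff: it reads only the outer OCSPResponse (the structure above) and reports whether the responder actually gave a usable answer. The DER byte strings at the bottom are constructed by hand; the "successful" sample carries a four-byte placeholder where a real signed BasicOCSPResponse would be, so a real client still has to verify that inner signature before believing it.

```go
package main

// Added example: parse the outer OCSPResponse envelope (RFC 2560, as laid
// out on the slide) and decide whether it carries revocation information.
// Not code from the talk or sslsniff; sample bytes are constructed.

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// OCSPResponseStatus values, from the ENUMERATED definition on the slide.
const (
	StatusSuccessful       = 0
	StatusMalformedRequest = 1
	StatusInternalError    = 2
	StatusTryLater         = 3
	StatusSigRequired      = 5
	StatusUnauthorized     = 6
)

var statusNames = map[int]string{
	StatusSuccessful:       "successful",
	StatusMalformedRequest: "malformedRequest",
	StatusInternalError:    "internalError",
	StatusTryLater:         "tryLater",
	StatusSigRequired:      "sigRequired",
	StatusUnauthorized:     "unauthorized",
}

// id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1): the only responseType a client
// should be willing to interpret.
var oidBasicResponse = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 1}

// Mirrors the ASN.1 on the slide: OCSPResponse ::= SEQUENCE {
//   responseStatus OCSPResponseStatus, responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
type ocspResponse struct {
	ResponseStatus asn1.Enumerated
	ResponseBytes  responseBytes `asn1:"explicit,tag:0,optional"`
}

type responseBytes struct {
	ResponseType asn1.ObjectIdentifier
	Response     []byte // DER of BasicOCSPResponse; signature still unchecked here
}

// Envelope is what the parser hands to the revocation policy.
type Envelope struct {
	Status   int
	Name     string
	HasBasic bool
}

// ParseEnvelope decodes the outer structure strictly: one SEQUENCE, no
// trailing bytes, a status value the spec actually defines.
func ParseEnvelope(der []byte) (Envelope, error) {
	var r ocspResponse
	rest, err := asn1.Unmarshal(der, &r)
	if err != nil {
		return Envelope{}, err
	}
	if len(rest) != 0 {
		return Envelope{}, errors.New("trailing bytes after OCSPResponse")
	}
	name, ok := statusNames[int(r.ResponseStatus)]
	if !ok {
		return Envelope{}, fmt.Errorf("unknown responseStatus %d", r.ResponseStatus)
	}
	hasBasic := r.ResponseBytes.ResponseType.Equal(oidBasicResponse) &&
		len(r.ResponseBytes.Response) > 0
	return Envelope{Status: int(r.ResponseStatus), Name: name, HasBasic: hasBasic}, nil
}

// RevocationStatusKnown is true only when the responder really answered.
// Any other status, tryLater included, says nothing about revocation; a
// client that proceeds anyway is soft-failing, which is what the slide exploits.
func RevocationStatusKnown(der []byte) bool {
	env, err := ParseEnvelope(der)
	if err != nil {
		return false
	}
	return env.Status == StatusSuccessful && env.HasBasic
}

// Constructed samples (not captured from any responder).
var (
	// SEQUENCE { ENUMERATED 3 }: a tryLater envelope with no responseBytes.
	sampleTryLater = []byte{0x30, 0x03, 0x0a, 0x01, 0x03}

	// Successful envelope whose "BasicOCSPResponse" is a 4-byte placeholder.
	sampleSuccessful = []byte{
		0x30, 0x18, // OCSPResponse SEQUENCE
		0x0a, 0x01, 0x00, // responseStatus successful (0)
		0xa0, 0x13, // [0] EXPLICIT
		0x30, 0x11, // ResponseBytes SEQUENCE
		0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, // id-pkix-ocsp-basic
		0x04, 0x04, 0xde, 0xad, 0xbe, 0xef, // response OCTET STRING (placeholder)
	}
)

func main() {
	for name, s := range map[string][]byte{"tryLater": sampleTryLater, "successful": sampleSuccessful} {
		env, err := ParseEnvelope(s)
		fmt.Printf("%-10s parsed=%+v err=%v revocationStatusKnown=%v\n", name, env, err, RevocationStatusKnown(s))
	}
}
```

The defence is the policy made explicit in RevocationStatusKnown: a non-successful status is "unknown", and the client then has to choose deliberately between hard-failing and requiring a stapled response, instead of treating silence from the responder as "not revoked".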
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PROPOSED STANDARD 

(Screenshot of the RFC 2560 header; author names are only partly legible.) 

Network Working Group 
Request for Comments: 2560 
Category: Standards Track 
                                                      VeriSign 
                                                      R. Ankney 
                                                      CertCo 
                                                      A. Malpani 
                                                      ValiCert 

X.509 Internet Public Key Infrastructure 
Online Certificate Status Protocol - OCSP 

Status of this Memo 

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. 

Copyright Notice 

Copyright (C) The Internet Society (1999). All Rights Reserved. 
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A Third Cut: ocsp-aware sslsniff 

sslsniff 

• Watch network and fingerprint clients for level of vulnerability. 

• Every NSS client's communication is intercepted - either with a specific "null termination" certificate, or with the "universal wildcard" certificate. 

• Every non-NSS client that is vulnerable is intercepted with a "null termination" certificate if available for the destination host. 

• Non-vulnerable clients are left alone to avoid detection. 

• Optionally watch for OCSP requests corresponding to certificates we're using, and "tryLater" them to defeat OCSP. 
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What do we have to worry about? 

2) Updates 

It used to be that people, you know, downloaded and installed updates. 

As software gets more complicated, it is inevitably shipped with more bugs, and attackers are situated to exploit them on a larger scale. 

So some have felt the need to deploy self-updating software in order to fix problems rapidly. 
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What do we have to worry about? 

2) Updates 

This is bad news for us, because by standing here and talking to you about this stuff, it probably means that SSL implementations are going to fix these problems. 

But their update mechanisms in themselves seem like kind of a dangerous idea, right? 

Maybe there's something we can do about our problem. 
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Firefox/Thunderbird: A Case Study 

When you install Firefox, it comes with a feature called 
"automatic update service," which happens to be enabled 
by default. 

Here be dragons. 
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Firefox/Thunderbird: A Case Study 

Firefox: Hello, do you have any updates for me? Here's my product, version, build ID, OS, locale, and channel. 

Update Server In The Sky: As a matter of fact, I do. Here's an unsigned blob of data - you'd do well to install it. 
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Firefox/Thunderbird: A Case Study 

• Firefox and Thunderbird depend on their TLS connection to the update server to defend them against all possible attacks. 

• Code is returned from the update server either as a binary diff against the distribution binary the client is running, or as a complete image of the binary. 

• By default, "minor" updates are downloaded and installed silently - only prompting the user to restart their browser once everything is done. 

• The update server is the one who reports the version number of the update, so it is effectively up to the server whether the image it provides is installed silently or not. 
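The check a defender would want in that exchange, as an added example in Go that is not Mozilla's updater code: the client pins a verification key of its own and accepts an update only if a signed manifest verifies under that key, the payload hashes to what the manifest says, and the signed version moves forward, so neither the transport nor the server's word decides what gets installed. Manifest, Updater, the product string and the integer version scheme are assumptions for the demonstration; the key pair and image bytes are generated inside the block.

```go
package main

// Added example of signed-update verification with a pinned key; not the
// updater code of Firefox/Thunderbird. Keys, manifests and payloads below are
// generated in-process for the demonstration.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the only thing the signature covers; TLS is not trusted to
// vouch for any of it. (Assumed layout, not any vendor's format.)
type Manifest struct {
	Product    string
	Version    int    // monotonically increasing build number (assumed scheme)
	PayloadSHA string // hex SHA-256 of the image or diff
}

// Encode gives the manifest a fixed canonical byte form to sign.
func (m Manifest) Encode() []byte {
	return []byte(fmt.Sprintf("product=%s\nversion=%d\nsha256=%s\n",
		m.Product, m.Version, m.PayloadSHA))
}

// Updater is the client side: a pinned verification key and the running build.
type Updater struct {
	PinnedKey      ed25519.PublicKey
	CurrentVersion int
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrHashMismatch = errors.New("payload hash does not match signed manifest")
	ErrNotNewer     = errors.New("signed version is not newer than the running build")
	ErrWrongProduct = errors.New("manifest is for a different product")
)

// Accept returns nil only when every check passes. The signature is checked
// first, so nothing in the manifest is acted on until it is known to be
// the vendor's; the version compared is the signed one, not the server's claim.
func (u Updater) Accept(product string, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(u.PinnedKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Product != product {
		return ErrWrongProduct
	}
	if m.Version <= u.CurrentVersion {
		return ErrNotNewer
	}
	sum := sha256.Sum256(payload)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.PayloadSHA) {
		return ErrHashMismatch
	}
	return nil
}

// SignManifest is the vendor side, run with an offline signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// Scenario pushes one legitimate update and four tampered ones through the
// client and reports the verdict for each, so behaviour can be checked offline.
func Scenario() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	client := Updater{PinnedKey: pub, CurrentVersion: 100}

	image := []byte("constructed update image bytes")
	sum := sha256.Sum256(image)
	good := Manifest{Product: "browser", Version: 101, PayloadSHA: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, good)

	results := map[string]error{}
	results["legitimate"] = client.Accept("browser", good, sig, image)

	// Same signed manifest, but a different payload was served.
	results["swapped payload"] = client.Accept("browser", good, sig, []byte("something else"))

	// Manifest edited in transit, original signature reused.
	edited := good
	edited.Version = 102
	results["edited manifest"] = client.Accept("browser", edited, sig, image)

	// Signed by a key the client does not pin.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	results["other key"] = client.Accept("browser", good, SignManifest(otherPriv, good), image)

	// Genuinely signed, but an older build (downgrade).
	old := Manifest{Product: "browser", Version: 99, PayloadSHA: good.PayloadSHA}
	results["downgrade"] = client.Accept("browser", old, SignManifest(priv, old), image)
	return results
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

With this in place the connection to the update server only has to deliver bytes; whether they are installed is decided by the pinned key, the hash and the version check, which is the property the slide says the mechanism lacks.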
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Firefox/Thunderbird: A Case Study 

• As vendors start to release patches for this vulnerability, the update mechanisms themselves will be vulnerable. 

• All we need is a universal wildcard cert, or alternately a null-termination prefix cert for aus2.mozilla.org, and we can take control of the update mechanism to deliver payloads of our choice. 

• This could be anything: 

  - A rootkit that logs keystrokes. 

  - Something that sends all traffic/email through a server of our choosing. 

  - A completely legitimate image that just happens to include our own CA certs. 

  - Or, just to be confusing, a totally different web browser ("Thank you for updating to Galeon 0.0.3!") or even a completely different type of application - notepad.exe comes to mind. 
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Firefox/Thunderbird: A Case Study 

In order to patch your system effectively, you will not be 
able to trust anything that comes through automatic 
updates. 
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A Fourth Cut: update-aware sslsniff 

• Watch network and fingerprint clients for level of vulnerability. 

• Every NSS client's communication is intercepted - either with a specific "null prefix" certificate, or with the "universal wildcard" certificate. 

• Every non-NSS client that is vulnerable is intercepted with a "null prefix" certificate if available for the destination host. 

• Non-vulnerable clients are left alone to avoid detection. 

• Optionally watch for OCSP requests corresponding to certificates we're using, and "tryLater" them to defeat OCSP. 

• Optionally watch for Firefox/Thunderbird update polls, and respond with a "custom" build. 
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Postscript: 
Stripping NULL is no solution 

Some SSL/TLS implementations (Safari, Opera) appear to strip '\0' from commonName strings before comparing. 

Thus: 

www.paypal.com\0.thoughtcrime.org 

Becomes: 

www.paypal.com.thoughtcrime.org 
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Postscript: 
Stripping NULL is no solution 

These implementations are vulnerable to a variation of our attack. 

The key is that some Certificate Authorities are vulnerable to this attack internally. 

• When presented with www.paypal.com\0.thoughtcrime.org, some CAs internally validate it as www.paypal.com 

• But the whole string (www.paypal.com\0.thoughtcrime.org) is what ends up in the subject of the cert they later issue. 
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Postscript: 
Stripping NULL is no solution 

So if we register a domain like sitekey.ba, we can get a certificate for sitekey.ba\0nkofamerica.com. 

The CAs that are internally vulnerable to this attack will validate that certificate against sitekey.ba, which we own. 

When the cert is later presented to an SSL implementation that strips \0, the certificate's common name becomes: 
sitekey.bankofamerica.com 
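The comparison a name-matching routine should do instead of stripping, as an added example in Go that is not code from the talk or from any TLS stack: a certificate name containing a NUL (or anything else outside the hostname alphabet) is rejected outright, so the name the CA validated and the name the client compares can never diverge, and a bare "*" wildcard fails the same test. The stripping behaviour the postscript describes is kept alongside only to show why it is no fix. The wildcard policy (single leftmost label, no apex match) is an assumed one, not any particular implementation's rules; the sample names are the ones from the slides.

```go
package main

// Added example: strict certificate-name matching that refuses embedded NULs
// instead of stripping them. Not code from the talk or any TLS stack.

import (
	"errors"
	"fmt"
	"strings"
)

var ErrInvalidName = errors.New("certificate name contains characters that are not valid in a hostname")

// validHostname accepts only letters, digits and hyphens inside dot-separated
// labels. A '\x00' byte fails here, as does a '*' (handled by the caller).
func validHostname(name string) bool {
	if name == "" || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" || len(label) > 63 {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			ok := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
				(c >= '0' && c <= '9') || c == '-'
			if !ok {
				return false
			}
		}
	}
	return true
}

// MatchCertName compares a certificate's subject name against the host the
// client connected to. The only wildcard form accepted is a single leftmost
// "*." label, and it never matches the apex (assumed policy).
func MatchCertName(certName, target string) (bool, error) {
	if !validHostname(target) {
		return false, ErrInvalidName
	}
	pattern := certName
	wildcard := false
	if strings.HasPrefix(certName, "*.") {
		wildcard = true
		pattern = certName[2:]
	}
	if !validHostname(pattern) {
		return false, ErrInvalidName // NUL, empty label, or a bare "*" lands here
	}
	if !wildcard {
		return strings.EqualFold(certName, target), nil
	}
	// "*.example.com" matches "a.example.com", not "example.com" or "a.b.example.com".
	i := strings.IndexByte(target, '.')
	if i < 0 {
		return false, nil
	}
	return strings.EqualFold(target[i+1:], pattern), nil
}

// StrippedCompare is the behaviour the postscript attributes to Safari and
// Opera: delete the NUL and compare what is left. Shown only as the bad case.
func StrippedCompare(certName, target string) bool {
	return strings.EqualFold(strings.ReplaceAll(certName, "\x00", ""), target)
}

func main() {
	for _, c := range [][2]string{
		{"www.paypal.com\x00.thoughtcrime.org", "www.paypal.com"},
		{"sitekey.ba\x00nkofamerica.com", "sitekey.bankofamerica.com"},
		{"*.thoughtcrime.org", "www.thoughtcrime.org"},
		{"*", "www.paypal.com"},
	} {
		ok, err := MatchCertName(c[0], c[1])
		fmt.Printf("%q vs %q: strict=%v err=%v stripped=%v\n",
			c[0], c[1], ok, err, StrippedCompare(c[0], c[1]))
	}
}
```

The point of rejecting rather than normalising is that every party in the chain (the CA's validation logic, the client's matcher, the user reading the name) then sees the same string or none at all; any transformation applied by only one of them is where the two postscript cases open up.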
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Conclusion 



We have a MITM attack that will intercept communication 
for almost all SSL/TLS implementations. 

In the case of NSS (Firefox, Thunderbird, Evolution, AIM, 
Pidgin) we only need a single certificate. 

We've defeated the OCSP protocol as implemented. 

We've hijacked the Mozilla auto-updates for both 
applications and extensions. 

We've got an exploitable overflow. 

In short, we've got your passwords, your communication, 
and control over your computer. 
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